Fix critical cross site scripting
[sdc.git] / catalog-fe / src / main / java / org / openecomp / sdc / fe / servlets / PortalServlet.java
index 6378b99..228f65d 100644 (file)
@@ -113,7 +113,7 @@ public class PortalServlet extends HttpServlet {
      * @throws IOException
      */
     private void addRequestHeadersUsingWebseal(final HttpServletRequest request, final HttpServletResponse response)
-        throws ServletException, IOException {
+        throws ServletException, IOException, CipherUtilException {
         response.setContentType("text/html");
         // Create new request object to dispatch
         MutableHttpServletRequest mutableRequest = new MutableHttpServletRequest(request);
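Review bot: The Javadoc just above the signature ends with `@throws IOException` at L5 and says nothing about the newly declared `CipherUtilException`; add `* @throws CipherUtilException if encrypting a cookie value fails` after that line (the exception is presumably propagated from addCookies, which gains the same `throws` clause later in this diff). The body of addRequestHeadersUsingWebseal continues outside the hunk, so whether its callers handle the new checked exception cannot be confirmed here.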
@@ -170,7 +170,6 @@ public class PortalServlet extends HttpServlet {
             getValueFromCookie(request, Constants.HTTP_CSP_FIRSTNAME);
             getValueFromCookie(request, Constants.HTTP_CSP_LASTNAME);
             //To be fixed
-
             //addAuthCookie(response, userId, firstNameFromCookie, lastNameFromCookie);
             RequestDispatcher rd = request.getRequestDispatcher("index.html");
             rd.forward(mutableRequest, response);
@@ -180,7 +179,7 @@ public class PortalServlet extends HttpServlet {
     }
 
     boolean addAuthCookie(HttpServletResponse response, String userId, String firstName, String lastName) throws IOException {
-        boolean isBuildCookieCompleted = true;
+        boolean isBuildCookieCompleted = false;
         Cookie authCookie = null;
         Configuration.CookieConfig confCookie = ConfigurationManager.getConfigurationManager().getConfiguration().getAuthCookie();
         //create authentication and send it to encryption
@@ -188,9 +187,9 @@ public class PortalServlet extends HttpServlet {
         try {
             AuthenticationCookie authenticationCookie = new AuthenticationCookie(userId, firstName, lastName);
             String cookieAsJson = RepresentationUtils.toRepresentation(authenticationCookie);
-            encryptedCookie = org.onap.sdc.security.CipherUtil.encryptPKC(cookieAsJson, confCookie.getSecurityKey());
+            encryptedCookie = CipherUtil.encryptPKC(cookieAsJson, confCookie.getSecurityKey());
+            isBuildCookieCompleted = true;
         } catch (Exception e) {
-            isBuildCookieCompleted = false;
             log.error(" Cookie Encryption failed ", e);
         }
         authCookie = new Cookie(confCookie.getCookieName(), encryptedCookie);
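Review bot: When encryption fails, the catch at L37-L40 only logs and execution still reaches `authCookie = new Cookie(confCookie.getCookieName(), encryptedCookie)`, so a cookie is built from whatever `encryptedCookie` held before the try (its declaration is outside the hunk). Unless the rest of addAuthCookie, which continues past the hunk, guards on `isBuildCookieCompleted` before adding the cookie, it is safer to leave the method in the catch: `log.error(" Cookie Encryption failed ", e); return false;`. With the call now going through the imported `CipherUtil`, the broad `catch (Exception e)` could also be narrowed to the exceptions that `encryptPKC` and `toRepresentation` actually declare, presumably `CipherUtilException` among them.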
@@ -243,12 +242,13 @@ public class PortalServlet extends HttpServlet {
      * @param request
      * @param headers
      */
-    private void addCookies(final HttpServletResponse response, final HttpServletRequest request, final String[] headers) {
+    private void addCookies(final HttpServletResponse response, final HttpServletRequest request, final String[] headers)
+        throws CipherUtilException {
         for (var i = 0; i < headers.length; i++) {
             final var currHeader = ValidationUtils.sanitizeInputString(headers[i]);
             final var headerValue = ValidationUtils.sanitizeInputString(request.getHeader(currHeader));
             if (headerValue != null) {
-                final var cookie = new Cookie(currHeader, headerValue);
+                final var cookie = new Cookie(currHeader, CipherUtil.encryptPKC(headerValue));
                 cookie.setSecure(true);
                 response.addCookie(cookie);
             }
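Review bot: The cookie built at L54 is marked `setSecure(true)` but not HttpOnly; for a change aimed at a cross-site-scripting issue, `cookie.setHttpOnly(true);` would keep the now-encrypted header values out of script reach, unless the front-end reads these cookies from `document.cookie`, which the hunk does not show. The one-argument `CipherUtil.encryptPKC(headerValue)` differs from the two-argument call with `confCookie.getSecurityKey()` used in addAuthCookie; whichever key the one-argument form applies, the consumer of these cookies must decrypt with the same one, so that is worth confirming. The Javadoc ending at L45 lists `@param request` and `@param headers` but the new `throws CipherUtilException` is undocumented; add `* @throws CipherUtilException if a header value cannot be encrypted`. Because the exception now propagates out of the loop, a failure on one header leaves the cookies already added for earlier headers on the response; if a partial cookie set is undesirable, encrypt all values first and add them afterwards. The closing brace of addCookies is outside the hunk.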